diff options
| author | Jan Venekamp <jan@venekamp.net> | 2022-11-20 02:08:20 +0100 |
|---|---|---|
| committer | Hauke Mehrtens <hauke@hauke-m.de> | 2023-03-04 19:39:32 +0100 |
| commit | 9b6605ec4c3ad6a6e5b6964b02a28d171a5802b5 (patch) | |
| tree | 684202d19536a2f7555e713420f8d481608d00a0 | |
| parent | f49a2fdc4fb4a3bc95c228ade38332685197210f (diff) | |
| download | uci-9b6605ec4c3ad6a6e5b6964b02a28d171a5802b5.tar.gz | |
uci: fix use-after-free uci_set on update option
When uci_set is called with ptr->o set and ptr->option = NULL,
then in uci_expand_ptr ptr->option is set to ptr->o->e.name.
This will result in use-after-free because ptr->option is used in
the call to uci_add_delta after uci_free_option(ptr->o).
Signed-off-by: Jan Venekamp <jan@venekamp.net>
| -rw-r--r-- | list.c | 7 |
1 files changed, 4 insertions, 3 deletions
@@ -725,15 +725,16 @@ int uci_set(struct uci_context *ctx, struct uci_ptr *ptr) ptr->s = uci_alloc_section(ptr->p, ptr->value, ptr->section); ptr->last = &ptr->s->e; } else if (ptr->o && ptr->option) { /* update option */ - struct uci_option *o; + struct uci_option *old = ptr->o; if ((ptr->o->type == UCI_TYPE_STRING) && !strcmp(ptr->o->v.string, ptr->value)) return 0; - o = ptr->o; ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value); - uci_free_option(o); + if (ptr->option == old->e.name) + ptr->option = ptr->o->e.name; + uci_free_option(old); ptr->last = &ptr->o->e; } else if (ptr->s && ptr->section) { /* update section */ char *s = uci_strdup(ctx, ptr->value); |